Cisco 857 and Sonicwall NSA 2600 VPN

Posted on 2014-01-27
Last Modified: 2014-02-20
I am trying to set up VPN through my NSA 2600 from an iPad. The NSA is connected to the 857, which is connected to the internet.

I have applied the following to my Cisco Router

ip nat inside source static tcp 1701 interface ATM0.1 1701
ip nat inside source static udp 500 interface ATM0.1 500
ip nat inside source static udp 5500 interface ATM0.1 5500
ip nat inside source static udp 1701 interface ATM0.1 1701

On the sonicwall I have.....

Enabled VPN
Enabled "WAN GroupVPN"
Authentication IKE with pre shared Secret
Proposals as Default
Created a group in AD called VPN Users, added myself to it, selected that group for XAUTH (I use RADIUS with LDAP to authenticate users)
Clicked "Set Default Route as this Gateway".

Now when I am trying to VPN in I get these errors

1      UTC 01/27/2014 16:32:37.496      Debug      VPN IKE      SENDING>>>> ISAKMP OAK MM (InitCookie:0xb731b6b79cde278f RespCookie:0x2664a834586237a6, MsgID: 0x0) (KE, NATD, NATD, NON, VID, VID, VID), 500      xx.xx.xx.xx, 500,      VPN Policy: WAN GroupVPN              
2      UTC 01/27/2014 16:32:37.496      Info      VPN IKE      NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device                                   
3      UTC 01/27/2014 16:32:37.496      Info      VPN IKE      NAT Discovery : Local IPSec Security Gateway behind a NAT/NAPT Device                                   
4      UTC 01/27/2014 16:32:37.496      Debug      VPN IKE      RECEIVED<<< ISAKMP OAK MM (InitCookie:0xb731b6b79cde278f RespCookie:0x2664a834586237a6, MsgID: 0x0) (KE, NON, NATD, NATD)      xx.xx.xx.xx, 500,, 500      VPN Policy: WAN GroupVPN              
5      UTC 01/27/2014 16:32:37.400      Debug      VPN IKE      SENDING>>>> ISAKMP OAK MM (InitCookie:0xb731b6b79cde278f RespCookie:0x2664a834586237a6, MsgID: 0x0) (SA, VID, VID), 500      xx.xx.xx.xx, 500,      VPN Policy: WAN GroupVPN              
6      UTC 01/27/2014 16:32:37.400      Info      VPN IKE      IKE Responder: Received Main Mode request (Phase 1)      xx.xx.xx.xx, 500,, 500                     
7      UTC 01/27/2014 16:32:37.400      Debug      VPN IKE      RECEIVED<<< ISAKMP OAK MM (InitCookie:0xb731b6b79cde278f RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID, VID, VID, VID, VID, VID, VID, VID)      xx.xx.xx.xx, 500,, 500

This is from an iPad using L2TP VPN.

Does anyone know what I can do to resolve this issue, please?
Question by:CaptainGiblets
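
Added example, not part of the original post: a small parser for the IKE debug lines above that reports how far Main Mode got and compares the router's port forwards with the UDP ports IKE needs once NAT is detected. It assumes RFC 3947 NAT-T behaviour (IKE moves to UDP 4500 after NAT discovery); the function names are hypothetical and the log is abridged from the post.

```python
import re

# Abridged from the SonicWall IKE debug log in the question, reordered oldest first.
LOG = """\
RECEIVED<<< ISAKMP OAK MM (InitCookie:0xb731b6b79cde278f RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID)
SENDING>>>> ISAKMP OAK MM (InitCookie:0xb731b6b79cde278f RespCookie:0x2664a834586237a6, MsgID: 0x0) (SA, VID, VID)
RECEIVED<<< ISAKMP OAK MM (InitCookie:0xb731b6b79cde278f RespCookie:0x2664a834586237a6, MsgID: 0x0) (KE, NON, NATD, NATD)
NAT Discovery : Local IPSec Security Gateway behind a NAT/NAPT Device
NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device
SENDING>>>> ISAKMP OAK MM (InitCookie:0xb731b6b79cde278f RespCookie:0x2664a834586237a6, MsgID: 0x0) (KE, NATD, NATD, NON, VID, VID, VID)
"""
# Forwards from the router config in the question, as (protocol, port).
FORWARDED = {("tcp", 1701), ("udp", 500), ("udp", 5500), ("udp", 1701)}

MM_RE = re.compile(r"(RECEIVED<<<|SENDING>>>>) ISAKMP OAK MM \([^)]*\) \(([^)]*)\)")
NAT_RE = re.compile(r"NAT Discovery : (Peer|Local) IPSec Security Gateway behind")
# First payload of each Main Mode round trip (RFC 2409): SA, then KE, then ID.
STAGES = {"SA": 1, "KE": 2, "ID": 3}

def main_mode_exchanges(log):
    """Return [(direction, stage, payloads)] for each Main Mode packet logged."""
    out = []
    for m in MM_RE.finditer(log):
        payloads = [p.strip() for p in m.group(2).split(",")]
        direction = "recv" if m.group(1).startswith("RECEIVED") else "send"
        out.append((direction, STAGES.get(payloads[0], 0), payloads))
    return out

def last_completed_stage(log):
    """Highest stage for which both a received and a sent packet were logged."""
    seen = {}
    for direction, stage, _ in main_mode_exchanges(log):
        seen.setdefault(stage, set()).add(direction)
    return max((s for s, d in seen.items() if d == {"recv", "send"}), default=0)

def nat_sides(log):
    """Which ends the firewall reported as sitting behind NAT."""
    return {m.group(1).lower() for m in NAT_RE.finditer(log)}

def missing_forwards(log, forwarded):
    """UDP ports IKE needs through the upstream NAT that are not forwarded."""
    required = {("udp", 500)}
    if nat_sides(log):  # assumption: NAT-T per RFC 3947 moves IKE to UDP 4500
        required.add(("udp", 4500))
    return sorted(required - forwarded)

if __name__ == "__main__":
    print(last_completed_stage(LOG), sorted(nat_sides(LOG)), missing_forwards(LOG, FORWARDED))
```

On the sample this reports that the SA and KE round trips completed, that NAT was detected on both ends, and that UDP 4500 is not among the forwards.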

Expert Comment

ID: 39813072
If this is for a client connection, I'm curious why you are trying to set up a site-to-site VPN, as it looks in your configs. You would want to use a client VPN setup, not a site-to-site one. Also, the iPad has an SSL VPN app; have you tried using that, which is way more intuitive?

Author Comment

ID: 39814746
I have set up SSL-VPN but I only have 2 licences. I can always look at getting more but I am still having problems getting my VPN users out to the internet. They can get on internal things with the VPN set up and I have enabled Tunnel All.

However when I try to browse the internet I get the message

1      UTC 01/28/2014 11:57:39.320      Info      SSLVPN      SSLVPN Traffic, 49760, X0 dan james, 53                     
2      UTC 01/28/2014 11:55:13.912      Notice      Network Access      Web access request dropped, 49842, X0, 80, X1,      HTTP

I have set up a NAT between the SSLVPN and External
22      SSLVPN IP Pool      X1 IP      Any      Original      Any      Original      X0      X1      22            Enabled

And under firewall access rules I have this

      SSLVPN      >      WAN      1      SSLVPN IP Pool      Any      Any      Allow      All      None      Enabled
 27      SSLVPN      >      WAN      2      Any      Any      Any      Allow      All      None

What am I missing for SSLVPN external access?

Accepted Solution

Diverse IT earned 500 total points
ID: 39843867
Hi CaptainGiblets,

NetExtender in Tunnel All mode forces all traffic to be routed over the SSL-VPN adapter. To allow your end users access to the internet over the UTM-SSLVPN, you will need to allow “WAN RemoteAccess Networks” (a network address object whose value acts like a default route), and the Tunnel All option must be selected on the Client Routes page. The method below is appropriate when the administrator wants all of their NetExtender users to have their internet access provided through the SSL-VPN; otherwise, disable Tunnel All mode. Be sure that you are not overwhelming the internet bandwidth at the location where the firewall is installed, as this traffic will be added to the other loads from inside the network.

Step 1: On the SonicWALL, go to the SSL-VPN > Client Routes screen and enable the Tunnel All option in the drop-down menu.

Step 2: On the Users > Local Groups screen, configure the SSLVPN Services group and, under the “VPN Access” tab, add the object WAN RemoteAccess Networks.

Step 3: No custom rules are needed on the Firewall > Access Rules screen for this to work. You can see the auto-added rules in the section SSLVPN to WAN.

Let me know if you have any questions!

Expert Comment

by:Diverse IT
ID: 39847278
Have you tried my solution yet? (http:#a39843867)

Question has a verified solution.
